
[Resolved] Livesecuritycenter problem


  • This topic is locked
41 replies to this topic

#1 Lammalord

Authentic Member, 26 posts

Posted 26 March 2008 - 05:28 PM

I've looked through the site and seen similar cases of this malware fixed, and I have the same problems along with a few that haven't been mentioned: the typical blue screen saying I have an infection that directs me to livesecuritycenter, the ! mark pop-ups that say there's been an internet hack attempt, and the Windows Security Center popping up saying I have certain problems.

*edit* ah yes, failed to mention it disables my Task Manager... I guess that's an important side effect...

Along with that I have a red popup that "acts" like the Security Center saying I have a 123Messenger problem or something like that... there is also an antivirus that keeps automatically installing itself called XPdefender and some program called Outerinfo in my Program Files. I also have the following programs/folders that keep appearing:
180searchassistant
180searchchassistant
180solutions
Bat
Outerinfo
Qdrdrive
seekmo
stc
Sysmnt
zango

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:25:07 PM, on 3/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sbwltbxa.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\WhatPulse\WhatPulse.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\XNeat Windows Manager\xnViewer.exe
C:\Program Files\XNeat Windows Manager\XNeatWM.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sea-o.net/
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sbwltbxa.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [XNeat Windows Manager] C:\Program Files\XNeat Windows Manager\xnViewer.exe /h
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKUS\S-1-5-21-861567501-413027322-725345543-1003\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe (User '?')
O4 - HKUS\S-1-5-21-861567501-413027322-725345543-1003\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 (User '?')
O4 - HKUS\S-1-5-21-861567501-413027322-725345543-1003\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User '?')
O4 - HKUS\S-1-5-21-861567501-413027322-725345543-1003\..\Run: [XNeat Windows Manager] C:\Program Files\XNeat Windows Manager\xnViewer.exe /h (User '?')
O4 - HKUS\S-1-5-21-861567501-413027322-725345543-1003\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O24 - Desktop Component 0: (no name) - http://www.runebodker.dk/undead.jpg
O24 - Desktop Component 1: (no name) - http://www.pwnedlist...../Planet 2.jpg
O24 - Desktop Component 2: (no name) - http://www.pwnedlist.....ce Planet.jpg
O24 - Desktop Component 3: (no name) - http://www.pwnedlist.....ed Planet.jpg
O24 - Desktop Component 4: (no name) - http://www.pwnedlist...y_Lammalord.jpg
O24 - Desktop Component 5: (no name) - http://www.solarvoya...bution-1600.JPG
O24 - Desktop Component 6: (no name) - http://gallery.artof...ia_1024x768.jpg

--
End of file - 8454 bytes



SmitFraudFix v2.216

Scan done at 16:25:47.21, Wed 03/26/2008
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://www.runebodke....dk/undead.jpg"
"SubscribedURL"="http://www.runebodke....dk/undead.jpg"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="http://www.pwnedlist...s/Planet 2.jpg"
"SubscribedURL"="http://www.pwnedlist...s/Planet 2.jpg"
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="http://www.pwnedlist...Ice Planet.jpg"
"SubscribedURL"="http://www.pwnedlist...Ice Planet.jpg"
"FriendlyName"=""

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Edited by Lammalord, 26 March 2008 - 05:37 PM.



#2 Lammalord

Authentic Member, 26 posts

Posted 28 March 2008 - 05:15 PM

Okay, I found and ran a trial version of some freeware antivirus, I believe it was Spy Doctor (one-time-use trial), and it seemed to remove the pop-ups, but I still want to be sure everything is gone. Here's a new log:

Note - the folders DO still exist in my Program Files, but I have not deleted them yet (for fear they may just re-install themselves and start the entire process over).

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:12:58 PM, on 3/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\WhatPulse\WhatPulse.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\XNeat Windows Manager\xnViewer.exe
C:\Program Files\XNeat Windows Manager\XNeatWM.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sea-o.net/
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKCU\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [XNeat Windows Manager] C:\Program Files\XNeat Windows Manager\xnViewer.exe /h
O4 - HKUS\S-1-5-21-861567501-413027322-725345543-1003\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe (User '?')
O4 - HKUS\S-1-5-21-861567501-413027322-725345543-1003\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 (User '?')
O4 - HKUS\S-1-5-21-861567501-413027322-725345543-1003\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User '?')
O4 - HKUS\S-1-5-21-861567501-413027322-725345543-1003\..\Run: [XNeat Windows Manager] C:\Program Files\XNeat Windows Manager\xnViewer.exe /h (User '?')
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O24 - Desktop Component 0: (no name) - http://www.pwnedlist...../Planet 2.jpg
O24 - Desktop Component 1: (no name) - http://www.pwnedlist.....ce Planet.jpg
O24 - Desktop Component 2: (no name) - http://www.pwnedlist.....ed Planet.jpg
O24 - Desktop Component 3: (no name) - http://www.pwnedlist...y_Lammalord.jpg
O24 - Desktop Component 4: (no name) - http://www.solarvoya...bution-1600.JPG
O24 - Desktop Component 5: (no name) - http://gallery.artof...ia_1024x768.jpg

--
End of file - 6756 bytes

Edited by Lammalord, 08 April 2008 - 04:12 PM.


#3 LDTate

Forum God, Root Admin, 57,170 posts

Posted 06 April 2008 - 03:12 PM


I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.

Open the HijackThis Folder. Find the file HijackThis.exe, Right Click on the file and Select Rename. Rename Hijackthis.exe to Spyware.exe.

Post a new HijackThis Log.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

Proud graduate of TC/WTT Classroom


#4 Lammalord

Authentic Member, 26 posts

Posted 07 April 2008 - 07:04 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:01:32 AM, on 4/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\WhatPulse\WhatPulse.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\XNeat Windows Manager\xnViewer.exe
C:\Program Files\XNeat Windows Manager\XNeatWM.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Journal Macro\JMacro.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\Spyware.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.youtube.com/user/Lammalord
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKCU\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [XNeat Windows Manager] C:\Program Files\XNeat Windows Manager\xnViewer.exe /h
O4 - HKUS\S-1-5-21-861567501-413027322-725345543-1003\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe (User '?')
O4 - HKUS\S-1-5-21-861567501-413027322-725345543-1003\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 (User '?')
O4 - HKUS\S-1-5-21-861567501-413027322-725345543-1003\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User '?')
O4 - HKUS\S-1-5-21-861567501-413027322-725345543-1003\..\Run: [XNeat Windows Manager] C:\Program Files\XNeat Windows Manager\xnViewer.exe /h (User '?')
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O24 - Desktop Component 0: (no name) - http://www.pwnedlist...../Planet 2.jpg
O24 - Desktop Component 1: (no name) - http://www.pwnedlist.....ce Planet.jpg
O24 - Desktop Component 2: (no name) - http://www.pwnedlist.....ed Planet.jpg
O24 - Desktop Component 3: (no name) - http://www.pwnedlist...y_Lammalord.jpg
O24 - Desktop Component 4: (no name) - http://www.solarvoya...bution-1600.JPG
O24 - Desktop Component 5: (no name) - http://gallery.artof...ia_1024x768.jpg

--
End of file - 7447 bytes
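Several entries in the logs above stand out even before a helper reads them: the second executable appended to UserInit in post #1, the Run-key and service entries that point at spools.exe under the drivers directory and at cftmon.exe under the LocalService profile, the BHOs with no file behind them, and the 127.0.0.1:8080 ProxyServer that appears in post #4. The script below is an added example of turning those observations into repeatable checks; it is not HijackThis code and not a tool anyone in this thread ran, the rule set, thresholds and function names are my own assumptions, and the sample lines are copied from the posted logs.

```python
"""Heuristic triage of HijackThis (v2.0.2) log lines: an added example for this thread,
not HijackThis code and not a tool the helpers used. Every rule, threshold and name
below is my own construction, aimed at the kinds of entries visible in the logs above."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis logs in posts #1 and #4.
SAMPLE_LINES = [
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sbwltbxa.exe,",
    r"O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe",
    r"O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe",
    r"O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe",
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080",
]

# Genuine Windows binaries whose names malware is commonly typo-squatted against (assumed list).
KNOWN_BINARIES = {"spoolsv.exe", "ctfmon.exe", "svchost.exe", "userinit.exe",
                  "winlogon.exe", "lsass.exe", "services.exe", "explorer.exe"}

@dataclass
class Finding:
    severity: str      # "high", "medium" or "low"
    line: str
    reasons: list

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; inputs are short file names, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def extract_path(arg: str) -> str:
    # Reduce a Run-key value to its executable path: drop surrounding quotes and trailing arguments.
    arg = arg.strip()
    if arg.startswith('"'):
        return arg[1:].split('"', 1)[0]
    return re.split(r"\s+[/-]", arg, maxsplit=1)[0]

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].strip('" ').lower()

def path_findings(path: str) -> list:
    """Reasons an autostart or service path looks wrong; an empty list means nothing odd."""
    reasons, low, name = [], path.lower(), basename(path)
    if "\\system32\\drivers\\" in low and name.endswith(".exe"):
        reasons.append("executable autostarting from the drivers directory")
    if re.search(r"\\documents and settings\\(localservice|networkservice)\\", low):
        reasons.append("autostart from a service-account profile (LocalService/NetworkService)")
    if name not in KNOWN_BINARIES:
        near = sorted(k for k in KNOWN_BINARIES if edit_distance(name, k) <= 2)
        if near:
            reasons.append(f"{name} is a lookalike of Windows binary {near[0]}")
    return reasons

def triage_line(line: str):
    """Return a Finding for one HijackThis line, or None if the rules see nothing."""
    kind, _, rest = line.partition(" - ")
    kind = kind.strip()
    if kind == "F2" and "UserInit=" in rest:
        shells = [s for s in rest.split("UserInit=", 1)[1].split(",") if s.strip()]
        extra = [basename(s) for s in shells if basename(s) != "userinit.exe"]
        if extra:
            return Finding("high", line, [f"extra UserInit executable {e}: runs at every logon" for e in extra])
    elif kind == "O2" and rest.endswith("(no file)"):
        return Finding("low", line, ["orphaned BHO registration pointing at a deleted file"])
    elif kind == "O4":
        m = re.match(r".*?\[[^\]]*\]\s*(?P<value>.+)$", rest)
        if m:
            reasons = path_findings(extract_path(m.group("value").split(" (User ")[0]))
            if reasons:
                return Finding("high", line, reasons)
    elif kind == "O23":
        parts = rest.split(" - ")          # "Service: Name - Owner - Path"
        if len(parts) >= 3:
            owner, path = parts[-2], parts[-1]
            reasons = path_findings(path)
            if "Unknown owner" in owner and reasons:
                return Finding("high", line, ["service has no identified owner"] + reasons)
    elif kind == "R1" and "ProxyServer" in rest:
        m = re.search(r"ProxyServer\s*=\s*(\S+)", rest)
        if m and re.match(r"(127\.\d+\.\d+\.\d+|localhost)(:\d+)?$", m.group(1), re.I):
            return Finding("medium", line, [f"browser traffic forced through loopback proxy {m.group(1)}"])
    return None

def triage(lines) -> list:
    return [f for f in (triage_line(l) for l in lines) if f is not None]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity.upper()}] {f.line}\n    " + "; ".join(f.reasons))
```

The legitimate avast! entries in the sample produce no finding, which is the point of the lookalike check: it compares against known system binary names rather than flagging every unfamiliar file.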

#5 LDTate

Forum God, Root Admin, 57,170 posts

Posted 07 April 2008 - 08:08 AM

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.

Next:

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.


(If you use FireFox or the Opera browser
To keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

Next:

Download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, please delete it from your desktop and download this new version . It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
  • Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
  • WARNING: IF you have not already done so Combofix will disconnect your machine from the Internet when it starts
  • Please do not re-connect your machine back to the Internet until Combofix has completely finished.
--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
=========================================================================



#6 Lammalord

Authentic Member, 26 posts

Posted 07 April 2008 - 02:42 PM

ComboFix 07-11-19.3 - Owner 2007-11-25 19:39:33.1 - NTFSx86

Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFscript.txt
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\NetworkService\Local Settings\Application Data\n.ini
C:\Documents and Settings\Owner\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Owner\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Owner\Favorites\Online Security Guide.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\aruwmgty.ini
C:\WINDOWS\system32\ijkmp.bak1
C:\WINDOWS\system32\ijkmp.bak2
C:\WINDOWS\system32\ijkmp.ini
C:\WINDOWS\system32\ijkmp.ini2
C:\WINDOWS\system32\ijkmp.tmp
C:\WINDOWS\system32\ijubedbq.ini
C:\WINDOWS\system32\iobeupyb.dll
C:\WINDOWS\system32\kuombqav.dll
C:\WINDOWS\system32\nhfgwhcx.dllbox
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pmkji.dll
C:\WINDOWS\system32\qbdebuji.dll
C:\WINDOWS\system32\vaqbmouk.ini
C:\WINDOWS\system32\wnstsisv.exe
C:\WINDOWS\system32\ytgmwura.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_ICF
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-10-26 to 2007-11-26 )))))))))))))))))))))))))))))))
.

2007-11-25 19:37 145,984 --a------ C:\WINDOWS\system32\nhfgwhcx.dll
2007-11-24 23:58 79,936 --a------ C:\WINDOWS\system32\rwopmhif.dll
2007-11-24 23:55 775,859 --ahs---- C:\WINDOWS\system32\wyjituft.ini
2007-11-24 23:49 71,232 --a------ C:\WINDOWS\system32\whqclmwl.exe
2007-11-24 10:44 81,472 --a------ C:\WINDOWS\system32\oqhtarpj.dll
2007-11-24 10:39 775,970 --ahs---- C:\WINDOWS\system32\byjnpbdm.ini
2007-11-24 10:39 85,056 --a------ C:\WINDOWS\system32\mdbpnjyb.dll
2007-11-24 10:36 71,232 --a------ C:\WINDOWS\system32\dbabhpmn.exe
2007-11-23 21:10 775,892 --ahs---- C:\WINDOWS\system32\yorrohei.ini
2007-11-23 21:04 83,520 --a------ C:\WINDOWS\system32\kpwuxxam.dll
2007-11-23 20:49 71,232 --a------ C:\WINDOWS\system32\bigcxmlb.exe
2007-11-23 20:47 83,520 --a------ C:\WINDOWS\system32\swleibuf.dll
2007-11-23 20:44 775,832 --ahs---- C:\WINDOWS\system32\xtbfurvd.ini
2007-11-23 20:44 85,056 --a------ C:\WINDOWS\system32\dvrufbtx.dll
2007-11-23 20:40 71,232 --a------ C:\WINDOWS\system32\kxiulart.exe
2007-11-23 18:27 294 --ahs---- C:\WINDOWS\system32\oflgouqa.ini
2007-11-23 18:20 83,520 --a------ C:\WINDOWS\system32\mokbjqbg.dll
2007-11-23 18:02 <DIR> d-------- C:\VundoFix Backups
2007-11-23 17:53 83,520 --a------ C:\WINDOWS\system32\focwbpvk.dll
2007-11-23 17:49 85,056 --a------ C:\WINDOWS\system32\jaorlyiu.dll
2007-11-23 17:49 71,232 --a------ C:\WINDOWS\system32\bqnrgjng.exe
2007-11-23 16:52 705,906 --ahs---- C:\WINDOWS\system32\pmtfdrvo.ini
2007-11-23 16:52 85,056 --a------ C:\WINDOWS\system32\ovrdftmp.dll
2007-11-23 10:24 83,520 --a------ C:\WINDOWS\system32\ftjtwbgj.dll
2007-11-22 10:27 1,005,402 --ahs---- C:\WINDOWS\system32\plfayttp.ini
2007-11-22 10:24 79,936 --a------ C:\WINDOWS\system32\bjdcyuub.dll
2007-11-21 18:38 714,350 --ahs---- C:\WINDOWS\system32\dycbqndq.ini
2007-11-21 18:38 80,960 --a------ C:\WINDOWS\system32\skkxtvas.dll
2007-11-21 18:34 71,232 --a------ C:\WINDOWS\system32\rmqigdys.exe
2007-11-19 13:54 843,128 --ahs---- C:\WINDOWS\system32\efnsnebd.ini
2007-11-19 13:54 85,056 --a------ C:\WINDOWS\system32\dbensnfe.dll
2007-11-19 13:51 71,232 --a------ C:\WINDOWS\system32\wxfwmruq.exe
2007-11-17 22:18 677,201 --ahs---- C:\WINDOWS\system32\dteoqecb.ini
2007-11-17 22:15 71,232 --a------ C:\WINDOWS\system32\heqpsxgu.exe
2007-11-16 22:18 677,920 --ahs---- C:\WINDOWS\system32\bnaaqdmn.ini
2007-11-16 22:09 71,232 --a------ C:\WINDOWS\system32\selffjxs.exe
2007-11-14 15:52 71,232 --a------ C:\WINDOWS\system32\pgbwflaf.exe
2007-11-12 18:25 71,232 --a------ C:\WINDOWS\system32\ndddxihn.exe
2007-11-10 21:02 522,214 --ahs---- C:\WINDOWS\system32\rnxendxk.ini
2007-11-10 20:59 71,232 --a------ C:\WINDOWS\system32\qmoqupmb.exe
2007-11-09 21:02 522,094 --ahs---- C:\WINDOWS\system32\ofdelfvg.ini
2007-11-08 20:56 71,232 --a------ C:\WINDOWS\system32\hrxarjah.exe
2007-11-07 16:32 551,458 --ahs---- C:\WINDOWS\system32\gwnlirng.ini
2007-11-06 16:30 563,114 --ahs---- C:\WINDOWS\system32\hduiihjv.ini
2007-11-04 20:00 571,348 --ahs---- C:\WINDOWS\system32\ktpwbkjn.ini
2007-11-03 22:32 583,464 --ahs---- C:\WINDOWS\system32\jbwidlia.ini
2007-11-03 15:22 583,404 --ahs---- C:\WINDOWS\system32\jjpijfpm.ini
2007-11-03 15:22 583,344 --ahs---- C:\WINDOWS\system32\csbbdjbo.tmp
2007-11-03 13:57 583,344 --ahs---- C:\WINDOWS\system32\csbbdjbo.ini
2007-11-02 21:48 583,173 --ahs---- C:\WINDOWS\system32\pcftapvv.ini
2007-11-01 06:51 <DIR> d-------- C:\Program Files\Alwil Software
2007-11-01 06:51 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-10-30 14:28 589 --a------ C:\WINDOWS\system32\rnkfavcf.dll
2007-10-29 14:25 589 --a------ C:\WINDOWS\system32\opvxhmas.dll
2007-10-29 06:37 589 --a------ C:\WINDOWS\system32\wmqjkqft.dll
2007-10-28 22:13 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2007-10-28 22:13 <DIR> d-------- C:\Program Files\MSECACHE
2007-10-28 16:34 <DIR> d-------- C:\Program Files\CCleaner
2007-10-28 16:18 589 --a------ C:\WINDOWS\system32\cegsthiw.dll
2007-10-27 13:52 <DIR> d-------- C:\Program Files\PCSecurityShield
2007-10-26 21:59 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Registry Booster
2007-10-26 16:06 67,072 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2007-10-26 15:41 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2007-10-26 14:24 479,348 --ahs---- C:\WINDOWS\system32\lyrcmsjh.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-26 03:57 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2007-11-26 03:37 145,984 ----a-w C:\WINDOWS\system32\taipnbwk.dll
2007-11-25 07:55 85,056 ----a-w C:\WINDOWS\system32\tfutijyw.dll
2007-11-24 05:05 --------- d-----w C:\Program Files\PokerStars.NET
2007-11-24 05:03 71,232 ----a-w C:\WINDOWS\system32\sypphxgk.exe
2007-11-24 02:27 85,056 ----a-w C:\WINDOWS\system32\aquoglfo.dll
2007-11-24 02:18 71,232 ----a-w C:\WINDOWS\system32\agxkyqbl.exe
2007-11-24 00:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-22 18:22 71,232 ----a-w C:\WINDOWS\system32\tregckyl.exe
2007-11-14 23:52 85,056 ----a-w C:\WINDOWS\system32\abywhpfa.dll
2007-11-10 04:59 71,232 ----a-w C:\WINDOWS\system32\ajcodoqc.exe
2007-11-08 00:30 71,232 ----a-w C:\WINDOWS\system32\tvrrwvsq.exe
2007-10-29 06:01 --------- d-----w C:\Program Files\Common Files\HP
2007-10-27 22:11 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
2007-10-27 21:25 --------- d-----w C:\Program Files\Symantec
2007-10-27 21:25 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-26 07:20 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-26 06:30 4,416 ----a-w C:\WINDOWS\system32\tmp.reg
2007-10-24 05:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-23 19:48 --------- d-----w C:\Program Files\Starcraft
2007-10-23 05:31 --------- d-----w C:\Program Files\a-squared Anti-Malware
2007-10-18 19:27 --------- d-----w C:\Program Files\WhatPulse
2007-10-15 00:19 --------- d-----w C:\Program Files\Firaxis Games
2007-09-06 11:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 11:00 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-03-04 03:26 349 ----a-w C:\Program Files\INSTALL.LOG
2007-03-04 03:05 31 ----a-w C:\Program Files\local.ini
2006-03-28 13:39 0 -c--a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2003-12-18 19:33 20,102 ----a-w C:\Program Files\Readme.txt
2003-09-03 15:46 10,960 ----a-w C:\Program Files\EULA.txt
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02b1b48f-763f-464d-8323-c4dc77883d0e}]
2007-11-24 23:58 79936 --a------ C:\WINDOWS\system32\rwopmhif.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-25 19:37 145984 --a------ C:\WINDOWS\system32\nhfgwhcx.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\nhfgwhcx.dll [2007-11-25 19:37 145984]

[HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WhatPulse"="C:\Program Files\WhatPulse\WhatPulse.exe" [2006-08-21 09:48]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-03-23 13:18]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 14:29]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-15 02:50]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-09-27 21:05]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-04 10:59]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-10-13 16:04]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 17:53]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 03:06]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dmrula]
dmrula.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nhfgwhcx]
nhfgwhcx.dll 2007-11-25 19:37 145984 C:\WINDOWS\system32\nhfgwhcx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnliih]
pmnliih.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmkji.dll


.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-25 20:00:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-25 20:02:30 - machine was rebooted
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:40:26 PM, on 4/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\WhatPulse\WhatPulse.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\XNeat Windows Manager\xnViewer.exe
C:\Program Files\XNeat Windows Manager\XNeatWM.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\Spyware.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.youtube.com/user/Lammalord
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKCU\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [XNeat Windows Manager] C:\Program Files\XNeat Windows Manager\xnViewer.exe /h
O4 - HKUS\S-1-5-21-861567501-413027322-725345543-1003\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe (User '?')
O4 - HKUS\S-1-5-21-861567501-413027322-725345543-1003\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 (User '?')
O4 - HKUS\S-1-5-21-861567501-413027322-725345543-1003\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User '?')
O4 - HKUS\S-1-5-21-861567501-413027322-725345543-1003\..\Run: [XNeat Windows Manager] C:\Program Files\XNeat Windows Manager\xnViewer.exe /h (User '?')
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O24 - Desktop Component 0: (no name) - http://www.pwnedlist...../Planet 2.jpg
O24 - Desktop Component 1: (no name) - http://www.pwnedlist.....ce Planet.jpg
O24 - Desktop Component 2: (no name) - http://www.pwnedlist.....ed Planet.jpg
O24 - Desktop Component 3: (no name) - http://www.pwnedlist...y_Lammalord.jpg
O24 - Desktop Component 4: (no name) - http://www.solarvoya...bution-1600.JPG
O24 - Desktop Component 5: (no name) - http://gallery.artof...ia_1024x768.jpg

--
End of file - 7348 bytes
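
The HijackThis log above is what the helper reads next. As an added example, not part of this thread and not HijackThis's own code, the Python below runs over a constructed excerpt of that log and flags the entry types a removal helper checks first: a browser proxy pointing back at the local machine (ProxyServer = 127.0.0.1:8080), Run entries under the SYSTEM hive (HKUS\S-1-5-18) and the Default User profile, an .exe sitting in system32\drivers, a file name that imitates a Windows binary (spools.exe next to the real spoolsv.exe), and a service whose binary is missing. The rule set, the SYSTEM_BINARIES list and the 0.8 similarity cutoff are my assumptions for the example, not anything HijackThis does.

```python
"""Triage of a HijackThis 2.0.2 log (added example; not HijackThis code)."""
import difflib
import re

# Constructed excerpt of the HijackThis log posted above (sample input).
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.youtube.com/user/Lammalord
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
"""

# Windows binaries whose names malware imitates (assumed list for this example).
SYSTEM_BINARIES = {"svchost.exe", "spoolsv.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "services.exe", "explorer.exe"}

LOOPBACK = re.compile(r"\b(127\.0\.0\.1|localhost)\b", re.I)
# Target of an O4 entry: the first .exe path after the [name] bracket.
O4_TARGET = re.compile(r'\]\s*"?([A-Z]:\\.*?\.exe)', re.I)


def lookalike(basename):
    """Return the system binary this file name imitates, or None.

    An exact match is not a lookalike; 0.8 is an assumed similarity cutoff
    (spools.exe against spoolsv.exe scores about 0.95)."""
    name = basename.lower()
    if name in SYSTEM_BINARIES:
        return None
    hits = difflib.get_close_matches(name, SYSTEM_BINARIES, n=1, cutoff=0.8)
    return hits[0] if hits else None


def triage(log_text):
    """Return [(rule, line), ...] for the log lines worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]          # R0, R1, O4, O23, ...
        if kind == "R1" and "ProxyServer" in line and LOOPBACK.search(line):
            # Browser traffic is forced through a listener on this machine.
            findings.append(("loopback-proxy", line))
        elif kind == "O4":
            if "HKUS\\S-1-5-18" in line or ".DEFAULT" in line:
                # Autorun for the SYSTEM account or the Default User profile.
                findings.append(("system-profile-autorun", line))
            m = O4_TARGET.search(line)
            if m:
                path = m.group(1)
                if "\\system32\\drivers\\" in path.lower():
                    # drivers\ holds .sys files; an .exe there is out of place.
                    findings.append(("exe-in-drivers-dir", line))
                target = lookalike(path.rsplit("\\", 1)[-1])
                if target:
                    findings.append(("lookalike-of-" + target, line))
        elif kind == "O23" and line.endswith("(file missing)"):
            # Service whose binary is gone: an uninstall leftover to clean up.
            findings.append(("orphaned-service", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_HJT_LOG):
        print(f"{rule:24} {line}")
```

None of these is a verdict on its own: a loopback proxy can be a legitimate local filter and a "(file missing)" service is usually an uninstall leftover, so the output is the short list to cross-check against the rest of the log (and, here, against the ComboFix log) before anything is deleted.
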

#7 LDTate (Forum God, Root Admin, 57,170 posts)

Posted 08 April 2008 - 05:55 AM

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\nhfgwhcx.dll
C:\WINDOWS\system32\rwopmhif.dll
C:\WINDOWS\system32\wyjituft.ini
C:\WINDOWS\system32\whqclmwl.exe
C:\WINDOWS\system32\oqhtarpj.dll
C:\WINDOWS\system32\byjnpbdm.ini
C:\WINDOWS\system32\mdbpnjyb.dll
C:\WINDOWS\system32\dbabhpmn.exe
C:\WINDOWS\system32\yorrohei.ini
C:\WINDOWS\system32\kpwuxxam.dll
C:\WINDOWS\system32\bigcxmlb.exe
C:\WINDOWS\system32\swleibuf.dll
C:\WINDOWS\system32\xtbfurvd.ini
C:\WINDOWS\system32\dvrufbtx.dll
C:\WINDOWS\system32\kxiulart.exe
C:\WINDOWS\system32\oflgouqa.ini
C:\WINDOWS\system32\mokbjqbg.dll
C:\WINDOWS\system32\focwbpvk.dll
C:\WINDOWS\system32\jaorlyiu.dll
C:\WINDOWS\system32\bqnrgjng.exe
C:\WINDOWS\system32\pmtfdrvo.ini
C:\WINDOWS\system32\ovrdftmp.dll
C:\WINDOWS\system32\ftjtwbgj.dll
C:\WINDOWS\system32\plfayttp.ini
C:\WINDOWS\system32\bjdcyuub.dll
C:\WINDOWS\system32\dycbqndq.ini
C:\WINDOWS\system32\skkxtvas.dll
C:\WINDOWS\system32\rmqigdys.exe
C:\WINDOWS\system32\efnsnebd.ini
C:\WINDOWS\system32\dbensnfe.dll
C:\WINDOWS\system32\wxfwmruq.exe
C:\WINDOWS\system32\dteoqecb.ini
C:\WINDOWS\system32\heqpsxgu.exe
C:\WINDOWS\system32\bnaaqdmn.ini
C:\WINDOWS\system32\selffjxs.exe
C:\WINDOWS\system32\pgbwflaf.exe
C:\WINDOWS\system32\ndddxihn.exe
C:\WINDOWS\system32\rnxendxk.ini
C:\WINDOWS\system32\qmoqupmb.exe
C:\WINDOWS\system32\ofdelfvg.ini
C:\WINDOWS\system32\hrxarjah.exe
C:\WINDOWS\system32\gwnlirng.ini
C:\WINDOWS\system32\hduiihjv.ini
C:\WINDOWS\system32\ktpwbkjn.ini
C:\WINDOWS\system32\jbwidlia.ini
C:\WINDOWS\system32\jjpijfpm.ini
C:\WINDOWS\system32\csbbdjbo.tmp
C:\WINDOWS\system32\csbbdjbo.ini
C:\WINDOWS\system32\pcftapvv.ini
C:\WINDOWS\system32\rnkfavcf.dll
C:\WINDOWS\system32\opvxhmas.dll
C:\WINDOWS\system32\wmqjkqft.dll
C:\WINDOWS\system32\cegsthiw.dll
C:\WINDOWS\system32\lyrcmsjh.ini
C:\WINDOWS\system32\taipnbwk.dll
C:\WINDOWS\system32\tfutijyw.dll
C:\WINDOWS\system32\sypphxgk.exe
C:\WINDOWS\system32\aquoglfo.dll
C:\WINDOWS\system32\agxkyqbl.exe
C:\WINDOWS\system32\tregckyl.exe
C:\WINDOWS\system32\abywhpfa.dll
C:\WINDOWS\system32\ajcodoqc.exe
C:\WINDOWS\system32\tvrrwvsq.exe
C:\WINDOWS\system32\nhfgwhcx.dll
C:\WINDOWS\system32\pmkji.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02b1b48f-763f-464d-8323-c4dc77883d0e}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dmrula]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nhfgwhcx]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnliih]

Save this as "CFScript"



Drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.


Also please describe how your computer behaves at the moment.

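
The CFScript in this post was assembled by hand from the ComboFix log in the previous post. As an added example, not part of the thread and not ComboFix's own code, the Python below does that selection over a constructed excerpt of that log: it keeps the "Files Created" entries whose name is eight lowercase letters directly in system32 (the pattern every malicious file in the posted log follows; an assumption for this example, not a rule ComboFix applies), deletes a Browser Helper Object or Winlogon Notify loading point only when it points at one of those files, and pulls the extra DLL out of the LSA "Authentication Packages" value. That value has to keep msv1_0, so the example lists the DLL for deletion but reports the registry line for manual review instead of scripting it. The File:: and Registry:: sections and the [-key] delete syntax are the ones the script above uses.

```python
"""Build a ComboFix CFScript from a ComboFix log (added example; not ComboFix code)."""
import re

# Constructed excerpt of the ComboFix log posted above (sample input).
SAMPLE_COMBOFIX_LOG = r"""
((((((((((((((((((((((((( Files Created from 2007-10-26 to 2007-11-26 )))))))))))))))))))))))))))))))
.
2007-11-25 19:37 145,984 --a------ C:\WINDOWS\system32\nhfgwhcx.dll
2007-11-24 23:58 79,936 --a------ C:\WINDOWS\system32\rwopmhif.dll
2007-11-24 23:55 775,859 --ahs---- C:\WINDOWS\system32\wyjituft.ini
2007-11-24 23:49 71,232 --a------ C:\WINDOWS\system32\whqclmwl.exe
2007-11-23 18:02 <DIR> d-------- C:\VundoFix Backups
2007-11-01 06:51 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-10-26 16:06 67,072 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02b1b48f-763f-464d-8323-c4dc77883d0e}]
2007-11-24 23:58 79936 --a------ C:\WINDOWS\system32\rwopmhif.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 03:06]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nhfgwhcx]
nhfgwhcx.dll 2007-11-25 19:37 145984 C:\WINDOWS\system32\nhfgwhcx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmkji.dll
"""

# One "Files Created" / Find3M line: date time size attrs path.
FILE_LINE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+[\d,]+\s+\S+\s+([A-Z]:\\.+)$", re.I)
# Eight lowercase letters directly in system32: the naming pattern of every
# malicious file in the posted log (an assumption for this example, not a rule).
RANDOM_NAME = re.compile(r"^C:\\WINDOWS\\system32\\[a-z]{8}\.(dll|exe|ini|ini2|tmp|bak\d)$")
KEY_LINE = re.compile(r"^\[(HKEY_[^\]]+)\]$")


def parse_combofix(log):
    """Return (file_paths, {registry_key: [lines under it]})."""
    section, key, files, reg = None, None, [], {}
    for line in log.splitlines():
        line = line.rstrip()
        if "Files Created" in line:
            section = "files"        # stays on through Find3M, same line format
        elif "Reg Loading Points" in line:
            section = "reg"
        elif section == "files":
            m = FILE_LINE.match(line)
            if m:
                files.append(m.group(1))
        elif section == "reg":
            m = KEY_LINE.match(line)
            if m:
                key = m.group(1)
                reg[key] = []
            elif key and line and not line.startswith((".", "*Note*")):
                reg[key].append(line)
    return files, reg


def build_cfscript(log):
    """Return (cfscript_text, lines_for_manual_review)."""
    files, reg = parse_combofix(log)
    bad_files = [p for p in files if RANDOM_NAME.match(p)]
    bad_keys, manual = [], []
    for key, lines in reg.items():
        lk, body = key.lower(), " ".join(lines)
        if "browser helper objects" in lk or "winlogon\\notify" in lk:
            # Remove a loading point only when it points at a flagged file.
            if any(p in body for p in bad_files):
                bad_keys.append(key)
        elif lk.endswith("\\control\\lsa"):
            for entry in lines:
                if entry.startswith('"Authentication Packages"'):
                    # msv1_0 must stay; anything else is an injected DLL.
                    extra = [t for t in entry.split("=", 1)[1].split() if t != "msv1_0"]
                    if extra:
                        bad_files.extend(extra)
                        manual.append(entry)
    script = ["File::", *sorted(set(bad_files)), "", "Registry::",
              *("[-%s]" % k for k in bad_keys), ""]
    return "\n".join(script), manual


if __name__ == "__main__":
    text, review = build_cfscript(SAMPLE_COMBOFIX_LOG)
    print(text)
    for entry in review:
        print("REVIEW BY HAND:", entry)
```

The generated File:: list matches the posted script on every file in the excerpt, including pmkji.dll, which no name pattern would catch: it is found only because it is appended to the LSA authentication package list, which is why that loading point is worth reading even when the file list looks complete.
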

 


#8 Lammalord (Authentic Member, 26 posts)

Posted 08 April 2008 - 02:54 PM

ComboFix 07-11-19.3 - Owner 2007-11-25 19:39:33.1 - NTFSx86

I just realized the date here is 5 months ago, the last time I ran ComboFix... hmmm, problem!

I did previously install ComboFix to my desktop and did remove it before downloading the newer version from the link you gave me. Did something go wrong?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:46:57 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\WhatPulse\WhatPulse.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\XNeat Windows Manager\xnViewer.exe
C:\Program Files\XNeat Windows Manager\XNeatWM.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\Spyware.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.youtube.com/user/Lammalord
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKCU\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [XNeat Windows Manager] C:\Program Files\XNeat Windows Manager\xnViewer.exe /h
O4 - HKUS\S-1-5-21-861567501-413027322-725345543-1003\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe (User '?')
O4 - HKUS\S-1-5-21-861567501-413027322-725345543-1003\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 (User '?')
O4 - HKUS\S-1-5-21-861567501-413027322-725345543-1003\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User '?')
O4 - HKUS\S-1-5-21-861567501-413027322-725345543-1003\..\Run: [XNeat Windows Manager] C:\Program Files\XNeat Windows Manager\xnViewer.exe /h (User '?')
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O24 - Desktop Component 0: (no name) - http://www.pwnedlist...../Planet 2.jpg
O24 - Desktop Component 1: (no name) - http://www.pwnedlist.....ce Planet.jpg
O24 - Desktop Component 2: (no name) - http://www.pwnedlist.....ed Planet.jpg
O24 - Desktop Component 3: (no name) - http://www.pwnedlist...y_Lammalord.jpg
O24 - Desktop Component 4: (no name) - http://www.solarvoya...bution-1600.JPG
O24 - Desktop Component 5: (no name) - http://gallery.artof...ia_1024x768.jpg

--
End of file - 7404 bytes





There are no pop-ups/problems that are occurring right now, but the following folders are still in my Program Files:

180search assistant
Bat
Seekmo
stc
Sysmnt
Zango

I also don't know what Qoobox is...

I'm also not sure ComboFix is working correctly... is it supposed to pop up a blue screen which disappears after about a second, then end?

Edited by Lammalord, 08 April 2008 - 03:00 PM.


#9 LDTate (Forum God, Root Admin, 57,170 posts)

Posted 08 April 2008 - 03:03 PM

I also don't know what Qoobox is...

I'm also not sure ComboFix is working correctly... is it supposed to pop up a blue screen which disappears after about a second, then end?

Qoobox is part of ComboFix and has the infected files in it.
ComboFix should have opened a text file after it completed.

Delete these folders:
180search assistant
Seekmo
Sysmnt
Zango


I don't know what these are. If you didn't install them, delete them as well:
stc
Bat


Let me know how that goes


 


#10 Lammalord (Authentic Member, 26 posts)

Posted 08 April 2008 - 03:07 PM

Well, that may be a problem. I never did get a txt file that popped up when it completed; I just followed the directions you showed in a previous post and apparently found an old ComboFix log placed there 5 months ago rather than the one from the most recent scan. I unblocked ComboFix, but it still does the same thing: a blue screen that disappears, and no txt file pops up when it's completed. Is something stopping it? I guess I'll try to remove and reinstall ComboFix, again. Now I just gotta cross my fingers and hope those files don't reappear again (as they have in the past).

Edited by Lammalord, 08 April 2008 - 03:09 PM.



#11 LDTate (Forum God, Root Admin, 57,170 posts)

Posted 08 April 2008 - 03:11 PM

Owner 2007-11-25 19:39:33.1
I should have noticed the date.

  • Click START then RUN
  • Now type Combofix /u in the run box and click OK. Note the space between the X and the U; it needs to be there.



Next:

Download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, please delete it from your desktop and download this new version. It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
  • Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
  • WARNING: IF you have not already done so Combofix will disconnect your machine from the Internet when it starts
  • Please do not re-connect your machine back to the Internet until Combofix has completely finished.
--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Give it at least 20-30 minutes to finish.


 


#12 Lammalord (Authentic Member, 26 posts)

Posted 08 April 2008 - 04:11 PM

Uhm, problem. ComboFix will not finish on my computer after 3 attempts. 1st attempt it crashed on stage 31, 2nd attempt it crashed on stage 30, 3rd attempt it crashed on stage 35. Every time the computer completely froze (no mouse movement, none of the keys worked, and the cursor on ComboFix stopped flashing) and I had to hard boot the computer...

#13 LDTate (Forum God, Root Admin, 57,170 posts)

Posted 08 April 2008 - 04:17 PM

Could be your Avast stopping it.
Let's try this:

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.


Please download ATF Cleaner by Atribune.
Download - ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use FireFox or the Opera browser
To keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.

Next:

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Also "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.

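The Folder Options changes above (and the disabled Task Manager the poster reported) are all stored as registry values, so they can be audited from PowerShell. This is an added, read-only example, not part of the thread; it assumes PowerShell 3 or later and the standard Explorer `Advanced` and `Policies\System` keys under HKCU.

```powershell
# Added example (not from the thread): report whether the Explorer view
# settings match the Folder Options steps above and whether the
# DisableTaskMgr policy is set. Reads only; it changes nothing.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$policy   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

# Expected value once the steps are applied; Default is what Windows
# uses when the value is absent.
$checks = @(
    @{ Path=$advanced; Name='Hidden';          Expected=1; Default=2 }  # show hidden files
    @{ Path=$advanced; Name='HideFileExt';     Expected=0; Default=1 }  # show extensions
    @{ Path=$advanced; Name='ShowSuperHidden'; Expected=1; Default=0 }  # show protected OS files
    @{ Path=$policy;   Name='DisableTaskMgr';  Expected=0; Default=0 }  # 1 = Task Manager disabled
)

function Get-RegValueOrDefault($Path, $Name, $Default) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $Default }   # key or value missing: treat as the Windows default
}

$results = foreach ($c in $checks) {
    $actual = Get-RegValueOrDefault $c.Path $c.Name $c.Default
    [pscustomobject]@{
        Setting  = $c.Name
        Expected = $c.Expected
        Actual   = $actual
        Ok       = ([int]$actual -eq $c.Expected)
    }
}

$results | Format-Table -AutoSize
$bad = @($results | Where-Object { -not $_.Ok })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} setting(s) differ from the expected values: {1}" -f $bad.Count, ($bad.Setting -join ', '))
}
```

A DisableTaskMgr of 1 here is the value that produces the disabled Task Manager described earlier in the thread; a mismatch on the Explorer values means the Folder Options steps did not stick.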

 


#14 Lammalord

Lammalord

    Authentic Member

  • Authentic Member
  • PipPip
  • 26 posts

Posted 08 April 2008 - 04:18 PM

I shut down Avast thinking that; that time it managed to get to stage 35...

#15 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,170 posts

Posted 08 April 2008 - 04:23 PM

Run the last post I made then we'll try Combofix after that


 
